The Domain Name System (DNS) is a hierarchical distributed naming system for devices connected to the Internet or a private network. The DNS translates easily memorized domain names to the numerical IP addresses needed to locate devices. For example, the domain name www.example.com translates to the addresses 93.184.216.119 (IPv4) and 2606:2800:220:6d:26bf:1447:1079:aa7 (IPv6).
A domain name comprises one or more parts, called labels, which are concatenated and delimited by dots. For the domain www.example.com, the right-most label expresses the top-level domain; in this case the top-level domain is “com”. The hierarchy moves from right to left: each label to the left specifies a subdomain of the domain to its right. Relying upon the same example, the label “example” is a subdomain of the “com” domain, while “www” is a subdomain of “example.com”. Subdomains may have up to 127 levels.
The DNS may be used for nefarious purposes. Consider network 100. An attack machine 101 operates as a command and control center for a coordinated attack. In particular, the attack machine 101 uses network 102 to access a set of compromised machines 104_1, 104_2 through 104_N. Machine 104_N resides in a local network infrastructure 106 (e.g., an Internet Service Provider or ISP). An open resolver 107 and name server 108 also reside in the network 106. Network 106 is connected to another network 110, which is coupled to a name server 112, which is an authoritative name server. The authoritative name server 112 is responsible for supported domains. The authoritative name server 112 may delegate authority over subdomains to other name servers, such as recursive name server 108. The open resolver 107 may also be used to support subdomains.
The compromised machines 104 form a botnet, which the attack machine 101 coordinates to send a flood of requests to the recursive name server 108 of network 106. Additionally, the attacker may flood requests through the open resolver 107. Each request contains a unique, randomized, and non-existent subdomain of a previously registered domain (e.g., kbsruxixqfwww.examples.com, adujqzutahyp.www.examples.com). Because each subdomain is unique, no cached answer exists, so each request triggers a recursive lookup against the domain's authoritative name server. As the attack grows in scale, the number of requests hitting the intended target's DNS resolver infrastructure grows as well. Eventually the target's DNS resolver infrastructure buckles under the load, either from system resource depletion, network saturation, or both.
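The query pattern just described (many distinct, non-existent subdomains of one registered domain, each forcing a recursive lookup and returning NXDOMAIN) can be surfaced from resolver query logs. The following is an added Python example, not code from the original document; it scores a constructed set of log lines, assuming a simple "time client qname rcode" log format and treating the right-most two labels as the registered domain.

```python
from collections import defaultdict
import math

# Constructed resolver log lines (not from the page): "time client qname rcode".
SAMPLE_LOG = [
    "1000 10.0.0.5 www.example.com NOERROR",
    "1001 10.0.0.7 kbsruxixqfwww.examples.com NXDOMAIN",
    "1001 10.0.0.8 adujqzutahyp.www.examples.com NXDOMAIN",
    "1002 10.0.0.9 qzplmvtroxka.examples.com NXDOMAIN",
    "1002 10.0.0.5 mail.example.com NOERROR",
    "1003 10.0.0.10 ywhgbtcnfsde.examples.com NXDOMAIN",
    "1003 10.0.0.11 hdtkrmcxevoq.examples.com NXDOMAIN",
    "1004 10.0.0.5 www.example.com NOERROR",
]

def registered_domain(qname):
    """Assumption: the right-most two labels form the registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def label_entropy(label):
    """Shannon entropy (bits per character) of one label; random labels score high."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_domains(lines, min_unique=4, min_nx_ratio=0.9):
    """Flag registered domains receiving many distinct subdomains that nearly
    all fail with NXDOMAIN: the signature of a random-subdomain flood."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "subs": set(),
                                 "clients": set(), "ent": []})
    for line in lines:
        _ts, client, qname, rcode = line.split()
        s = stats[registered_domain(qname)]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["subs"].add(qname.lower())          # distinct names, not raw volume
        s["clients"].add(client)              # fan-in from many bots (104_1..104_N)
        s["ent"].append(label_entropy(qname.lower().split(".")[0]))
    flagged = {}
    for dom, s in stats.items():
        nx_ratio = s["nx"] / s["total"]
        if len(s["subs"]) >= min_unique and nx_ratio >= min_nx_ratio:
            flagged[dom] = {"unique_subdomains": len(s["subs"]),
                            "nxdomain_ratio": round(nx_ratio, 2),
                            "distinct_clients": len(s["clients"]),
                            "mean_label_entropy": round(sum(s["ent"]) / len(s["ent"]), 2)}
    return flagged
```

The entropy feature is reported only as supporting evidence; the flag itself rests on the count of distinct names and the NXDOMAIN ratio, since short legitimate labels can also score moderately high entropy.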
A major source of DNS infrastructure abuse comes from open resolvers (e.g., 107) residing within an ISP's network (e.g., 106). Open resolvers are typically commodity devices used for home networking that are misconfigured to allow access from outside the local network. These devices are independently managed and are often running out-of-date firmware with known exploits. This is a difficult problem for ISPs to address because they have limited control, if any, over these devices, and no way to separate legitimate from malicious traffic.
The other major source of abuse comes from compromised machines 104. Compromised machines are costly to remediate, and ISPs are hesitant to take broader action for fear of upsetting their customers.
In view of the foregoing, it would be desirable to establish techniques for identifying DNS resource exhaustion attacks.